Azure DevOps - Access Restriction Of Azure App Service Using Azure Management Portal

This article is divided into three parts:
  1. Azure DevOps - Access Restriction of Azure App Service using Azure Management Portal: We will learn how to restrict access to the Azure App Service manually using the Azure Portal.
  2. Azure DevOps - Bulk IP Address Restriction of Azure App Service dynamically using PowerShell: We will learn how to use PowerShell scripting to bulk-insert IP addresses when configuring access restrictions for the Azure App Service.
  3. Azure DevOps - Automate Bulk IP Address Restriction of Azure App Service dynamically using PowerShell & Azure DevOps Pipeline: We will learn how to automate the access restriction process with Azure DevOps Pipelines so that it runs every time the list of IP addresses changes.

Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Three methods
 
Prerequisites
  1. Azure Subscription
  2. Azure App Service

Introduction

 
Azure App Service is a PaaS offering from Microsoft Azure where we can host web applications. Once a web application is deployed, anyone can access it over the internet.
 
Below are some scenarios where you might want to restrict access to the App Service:
  1. Your application is an internal application hosted in Azure App Service and you would like to restrict access to your organization's IP addresses or network.
  2. Your application is not yet live and you want to allow access ONLY to your internal team, within a range of IP addresses, until your app goes live.
  3. You are using Deployment Slots and you don’t want outside people to access the staging slots.
  4. You are getting automated scraping requests from a set of IP addresses and you would like to block them.
  5. You would like to block internet access but allow only Azure services like Azure Application Gateway or Azure Front Service.
  6. Your app is an API that is NOT meant to be accessed by public users but only consumed by trusted parties.
In this article, we will learn how to restrict or allow access to the Azure App Service using the Azure Management Portal.
 

Azure Management Portal

 
Let’s start by navigating to the App Service (or a staging slot) and clicking the Configure Access Restrictions link, which is available in the Networking blade as shown below.
 
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions
 
You will be taken to the Access Restrictions blade as shown below.
 
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions
 
Below are the components of the Access Restrictions blade highlighted in the above screenshot.
  1. The first tab shows all the access restrictions applied to the Azure App Service.
  2. The second tab shows all the access restrictions that are applied to the Kudu website. You can learn more about Kudu here.
  3. The Add Rule button can be used to create a new access restriction rule for the App Service.
  4. Finally, you can view all the existing access restrictions for the current App Service.
Let’s now add a new access restriction rule to the App Service by clicking on the Add Rule button.
 
In the Add Access Restriction blade, you can provide the following values to create a new Allow/Deny rule.
 
| Parameter | Description |
| --- | --- |
| Name | The name of the rule. |
| Action | Allow: selecting this option will let the user access the App Service from the given IP address (in the IP Address Block). Deny: selecting this option will NOT let the user access the App Service from the given IP address (in the IP Address Block). |
| Priority | The priority given to this rule. |
| Type | Select IPv4 (more on this below). |
| IP Address Block | Provide the IP address range. To specify a single IP address, use the format 1.1.1.1/32. |
 
Note
This article focuses on the IPv4 type; the process for IPv6 is the same. The Access Restrictions feature also lets us control access using the types shown below.
 
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions – Source Settings
 
You can leave the rest of the fields unchanged, as they are not mandatory, and click on the Add Rule button to add the rule. Once the rule is added, you will notice the two changes below.
  1. The new rule with the values that you have provided will be added.
  2. The existing Allow All rule with priority 1 will be changed into a Deny rule with priority 2147483647.
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions – App Service Tab
 
Once you add a new rule (either Allow or Deny), a Deny All rule (shown in the above screen) is created, and no one will be able to access the App Service except from the addresses that are explicitly allowed by Allow rules in the Access Restrictions blade.
 
That’s it. We have added an Allow rule for a single IP address to access the Azure App Service. Users from other IP addresses will not be able to access the Azure App Service. If they try, they will receive an error with the message “Error 403 Forbidden – The web app you have attempted to reach has blocked your access” as shown below.
 
Azure DevOps – Access Restriction of Azure App Service using Azure Management Portal – Access Restrictions – Access Forbidden
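
The rule behaviour described above can be modelled in a few lines: rules are checked from the lowest priority number upward, and the automatic Deny All at priority 2147483647 comes last. This is an added example, not part of the original article and not Azure's implementation; the `evaluate` helper, rule names and sample addresses are constructed. It also covers the scraper-blocking scenario from the introduction, where a lone Deny rule locks everyone out unless an explicit Allow rule for all other traffic follows it.

```python
import ipaddress

# Priority the article shows for the automatically created Deny All rule.
CATCH_ALL_PRIORITY = 2147483647


def effective_rules(rules):
    """Return the rules in evaluation order with the implicit catch-all appended."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    if rules:
        # As soon as one rule exists, everything unmatched is denied.
        catch_all = {"name": "Deny all", "action": "Deny",
                     "priority": CATCH_ALL_PRIORITY, "ip_block": "0.0.0.0/0"}
    else:
        # No rules configured: the default Allow All rule (priority 1) applies.
        catch_all = {"name": "Allow all", "action": "Allow",
                     "priority": 1, "ip_block": "0.0.0.0/0"}
    return ordered + [catch_all]


def evaluate(rules, client_ip):
    """Return (action, rule name) of the first rule whose block contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for rule in effective_rules(rules):
        if addr in ipaddress.ip_network(rule["ip_block"], strict=False):
            return rule["action"], rule["name"]
    raise ValueError("model covers IPv4 clients only")


# Constructed sample rule sets (documentation address ranges, hypothetical names).
OFFICE_ONLY = [{"name": "Office", "action": "Allow",
                "priority": 100, "ip_block": "203.0.113.10/32"}]
BLOCK_SCRAPER = [{"name": "Scraper", "action": "Deny",
                  "priority": 100, "ip_block": "198.51.100.0/24"}]
# A lone Deny rule still triggers Deny All; add an explicit Allow for the rest.
BLOCK_SCRAPER_FIXED = BLOCK_SCRAPER + [{"name": "Everyone else", "action": "Allow",
                                        "priority": 200, "ip_block": "0.0.0.0/0"}]

if __name__ == "__main__":
    for label, rules, ip in [
        ("no rules", [], "198.51.100.5"),
        ("office only", OFFICE_ONLY, "203.0.113.10"),
        ("office only", OFFICE_ONLY, "203.0.113.11"),
        ("deny only", BLOCK_SCRAPER, "203.0.113.10"),
        ("deny + allow rest", BLOCK_SCRAPER_FIXED, "203.0.113.10"),
        ("deny + allow rest", BLOCK_SCRAPER_FIXED, "198.51.100.77"),
    ]:
        print(f"{label:18} {ip:15} -> {evaluate(rules, ip)}")
```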
 
In this article, we have learned how to manually allow/deny access to a single IP Address using the Azure Management Portal. In the next article, we will learn how to perform Bulk insertion of the IP Addresses using PowerShell.
 
Hope it helps. Happy learning.